Setup OpenVPN on Ubuntu 18.04 Server


A VPN is the best way to reach your server over a secure connection. You can access it from anywhere without worrying about the security of the network you are on. You can also use it as a secure route to the internet: you may connect through a free public access point, but over an encrypted tunnel, so anyone on the local network cannot spy on your passwords and online transactions.

Install the packages

Let’s install the required OpenVPN packages.

sudo apt-get update
sudo apt-get install openvpn easy-rsa

First we will create a certificate authority (CA) for our new VPN. Create a template folder in our home directory with the following command:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

To customize our CA, we must edit the vars file in the newly created directory:

nano vars

Towards the bottom of the file, look for the settings that define the field defaults for new certificates. Edit the values as you want, but do not leave them blank:

Now we can use the variables we set and the easy-rsa utilities to build our certificate authority. Make sure you are in the openvpn-ca directory, then source the vars file you just edited:

cd ~/openvpn-ca
source vars

Output
NOTE: If you run ./clean-all, I will be doing a rm-rf on /home/sammy/openvpn-ca/keys

Ubuntu 18.04 requires an openssl.cnf file. The CA folder contains three templates for that file; copy the 1.0.0 template as openssl.cnf:

cp openssl-1.0.0.cnf openssl.cnf

Make sure you start from a clean environment, then build your own CA:

./clean-all

./build-ca

This starts the process of creating the root CA key and certificate. Since we filled in the vars file, all values should be filled in automatically. Simply press Enter at each prompt to confirm the selections.

Now we have a CA that can be used to create the rest of the files we need.

./build-key-server server

Do not enter a challenge password for this configuration. At the end, you will have to enter “yes” to the two questions to sign and confirm the certificate:

Next, we need to generate a few other pieces. We can generate strong Diffie-Hellman parameters to use during the key exchange by running:

./build-dh

Then we can generate an HMAC signing key to strengthen the server’s TLS integrity verification:

openvpn --genkey --secret keys/ta.key

Next, we can generate a client certificate and key pair. Although this can be done on the client machine and then signed by the server’s CA, in this guide the key is generated and signed on the server for simplicity.

We will generate a single client key and certificate for this guide, but if you have more than one user you can repeat this process as many times as you wish, passing a unique value to the script for each client.

To generate credentials without a password, to help with automated connections, use the build-key command like this:

cd ~/openvpn-ca
source vars
./build-key client1

Next, we can start setting up the OpenVPN service using the credentials and files we have generated. To start, we need to copy some files into the /etc/openvpn configuration directory.

We can start with all the files we just generated. These were placed inside the ~/openvpn-ca/keys directory. We need to copy our CA certificate, our server certificate and key, the HMAC signing key, and the Diffie-Hellman file:

Next, in the server configuration file find the cipher section by looking for the commented cipher lines. AES-128-CBC offers a good level of encryption and is well supported. Delete the “;” to uncomment the AES-128-CBC cipher line:

cipher AES-128-CBC

Below this line, add an auth line to select the HMAC message digest algorithm. SHA256 is a good option here:

auth SHA256

Finally, find the user and group settings and remove the “;” at the beginning of each line:

user nobody
group nogroup

Push DNS Changes to Redirect All Traffic Through the VPN

The configuration so far will create the VPN connection between the two machines, but will not force any connection to use the tunnel. If you want to use the VPN to route all your traffic, you will want to push DNS settings to the client computers.
You can do this by uncommenting a few directives that configure client machines to redirect all web traffic through the VPN. Find the redirect-gateway section and remove the semicolon “;” from the beginning of the redirect-gateway line:

/etc/openvpn/server.conf
push "redirect-gateway def1 bypass-dhcp"

Just below this line you will find the dhcp-option section. Again, remove the “;” from the front of both lines to uncomment them:

This should help clients to reconfigure their DNS settings to use the VPN tunnel as the default gateway.

Next, we need to adjust some aspects of the server’s network so that OpenVPN can correctly route the traffic.

First, we need to allow the server to forward traffic. This is essential for the functionality we want our VPN server to provide. We can adjust this setting by editing /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

In the file, look for the line that sets up net.ipv4.ip_forward . Remove the “#” character from the beginning of the line to uncomment that configuration:

/etc/sysctl.conf
net.ipv4.ip_forward=1

Save and close the file, then run the following command:

sudo sysctl -p

Set Up a Basic Firewall

You can use the UFW firewall to make sure only connections to specific services are allowed. We can set up a basic firewall very easily with it.

Different applications can register their profiles with UFW upon installation. These profiles allow UFW to manage these applications by name.

You can see the list of application profiles by typing ufw app list; enable the firewall with ufw enable and then check its status:

sudo ufw app list
sudo ufw enable
sudo ufw status

We need to re-route some of the traffic that enters the server through the firewall. We need to modify the rules file to configure masquerading, an iptables concept that provides on-the-fly dynamic NAT to route client connections properly. Before opening the firewall configuration file to add masquerading, we need to find the public network interface of our machine. To do this, type:

ip route | grep default

When you have the interface’s name associated with your default route, open the /etc/ufw/before.rules file to add the relevant configuration:

sudo nano /etc/ufw/before.rules

This file holds configuration that is applied before the conventional UFW rules are loaded. Towards the top of the file, add the highlighted lines below. This sets the default policy for the POSTROUTING chain in the nat table and masquerades any traffic coming from the VPN. Note: remember to replace eth0 in the -A POSTROUTING line with the interface you found in the previous command.

/etc/ufw/before.rules
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter

. . .

We also have to tell UFW to allow forwarded packets by default. To do this, open /etc/default/ufw:

sudo nano /etc/default/ufw

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"

Next, we adjust the firewall to allow traffic to OpenVPN. If you did not change the port and protocol in /etc/openvpn/server.conf, you must open UDP traffic to port 1194. If you modified the port and/or the protocol, substitute the values you selected here.

sudo ufw allow 1194/udp

Now, we can reload UFW to update the changes of all the files that we have changed:

sudo ufw disable
sudo ufw enable

Our server is now configured to correctly handle OpenVPN traffic.
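Before moving on to the clients, it is worth checking that every server-side edit from the steps above actually took effect, since a single still-commented directive (a “;” left in front of cipher, or a MASQUERADE rule for the wrong interface) silently breaks routing. The script below is an added example for this page, not part of the original guide: it re-checks the server.conf directives, the key files copied from ~/openvpn-ca/keys, net.ipv4.ip_forward, the UFW forward policy and the nat rule in before.rules. Paths and the interface name are parameters; eth0 and 10.8.0.0/24 in the test data are only assumed placeholders, and the dh*.pem name is whatever ./build-dh produced for the key size in your vars file.

```shell
#!/bin/sh
# Added example, not part of the original article: a post-setup checker for the
# server-side settings this guide asks for (server.conf directives, the copied
# key files, ip_forward, the UFW forward policy and the NAT masquerade rule).
# Every path and the interface name are parameters, so the functions can be run
# against the live files or against constructed copies.

# has_directive FILE REGEX: 0 if FILE has an active line starting with REGEX.
# Lines starting with ';' or '#' never match, so commented-out settings fail.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_server_conf FILE: verify the directives the guide enables in
# /etc/openvpn/server.conf. Prints each missing one; returns the count missing.
check_server_conf() {
    conf=$1; missing=0
    for d in 'cipher AES-128-CBC' 'auth SHA256' 'user nobody' 'group nogroup' \
             'push "redirect-gateway def1 bypass-dhcp"'; do
        has_directive "$conf" "$d" || {
            echo "server.conf: missing or commented out: $d"
            missing=$((missing + 1))
        }
    done
    return $missing
}

# check_key_files DIR: the material copied from ~/openvpn-ca/keys must be in
# DIR (normally /etc/openvpn). The DH file name depends on the key size in vars.
check_key_files() {
    dir=$1; missing=0
    for f in ca.crt server.crt server.key ta.key; do
        [ -f "$dir/$f" ] || { echo "$dir/$f is missing"; missing=$((missing + 1)); }
    done
    ls "$dir"/dh*.pem >/dev/null 2>&1 || { echo "$dir: no dh*.pem file"; missing=$((missing + 1)); }
    return $missing
}

# check_ip_forward FILE: net.ipv4.ip_forward=1 must be active in sysctl.conf.
check_ip_forward() {
    has_directive "$1" 'net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1'
}

# check_forward_policy FILE: /etc/default/ufw must set DEFAULT_FORWARD_POLICY="ACCEPT".
check_forward_policy() {
    has_directive "$1" 'DEFAULT_FORWARD_POLICY="ACCEPT"'
}

# check_nat_rule FILE IFACE: before.rules needs a *nat table with a POSTROUTING
# MASQUERADE rule leaving on IFACE, followed by a COMMIT.
check_nat_rule() {
    rules=$1; iface=$2
    has_directive "$rules" '\*nat' || { echo "before.rules: no *nat table"; return 1; }
    grep -Eq "^-A POSTROUTING .*-o ${iface} .*-j MASQUERADE" "$rules" \
        || { echo "before.rules: no MASQUERADE rule for interface $iface"; return 1; }
    has_directive "$rules" 'COMMIT' || { echo "before.rules: missing COMMIT"; return 1; }
}

# run_all_checks IFACE: run everything against the live system paths. IFACE is
# the public interface found with 'ip route | grep default'.
run_all_checks() {
    iface=$1; failed=0
    check_key_files /etc/openvpn || failed=1
    check_server_conf /etc/openvpn/server.conf || failed=1
    check_ip_forward /etc/sysctl.conf || { echo "sysctl.conf: ip_forward not enabled"; failed=1; }
    check_forward_policy /etc/default/ufw || { echo "/etc/default/ufw: forward policy is not ACCEPT"; failed=1; }
    check_nat_rule /etc/ufw/before.rules "$iface" || failed=1
    [ "$failed" -eq 0 ] && echo "all server checks passed"
    return $failed
}

# Usage: sudo sh check_openvpn_server.sh --check eth0   (eth0 is only a placeholder)
if [ "${1:-}" = "--check" ]; then
    run_all_checks "${2:-eth0}"
fi
```

Run it with sudo so it can read server.key and before.rules; a non-zero exit status together with the printed lines tells you which step of the guide still needs attention. The check_nat_rule function deliberately takes the interface name as an argument rather than guessing it, so the same mistake the guide warns about (leaving eth0 in place on a machine whose interface is called something else) is caught instead of repeated.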

We need to start the OpenVPN server by specifying the name of our configuration file as an instance variable after the systemd unit’s file name. Our server configuration file is called /etc/openvpn/server.conf, so we add @server to the end of the unit name when we call it:

Inside the client base configuration file we need to make some adjustments. First, look for the remote directive. This points the client to our OpenVPN server address; it must be the public IP address of your OpenVPN server. If you changed the port on which the OpenVPN server listens, change 1194 to the port you selected. Next, uncomment the user and group directives by removing the “;”:

~/client-configs/base.conf
. . .
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote server_IP_address 1194
. . .
proto udp
# Downgrade privileges after initialization (non-Windows only)
user nobody
group nogroup

Find the directives that set ca, cert and key. Comment these out, since we will add the certs and keys inside the file itself:

~/client-configs/base.conf
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
#ca ca.crt
#cert client.crt
#key client.key

Mirror the cipher and auth settings we set in /etc/openvpn/server.conf:

Finally, add some commented lines. We want to include them in every configuration file, but they should only be enabled for Linux clients that ship with an /etc/openvpn/update-resolv-conf file. That script uses the resolvconf utility to update DNS information for Linux clients.

If your client runs Linux and has an /etc/openvpn/update-resolv-conf file, uncomment these lines in the generated OpenVPN client configuration file.

Next, we will create a simple script to compile our base configuration with the relevant certificate, key and encryption files. This will place the generated configuration in the ~/client-configs/files directory. Create and open a file called make_config.sh inside the ~/client-configs directory:

Now we can easily generate client configuration files. If you followed the guide, you created a client certificate and key named client1.crt and client1.key by running ./build-key client1. We can generate a configuration for these credentials by moving into our ~/client-configs directory and using the script we made:

cd ~/client-configs
./make_config.sh client1

If everything went fine, we should have a client1.ovpn file in our ~/client-configs/files directory:

client1.ovpn
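The script itself is not shown on this page, so here is an added example of how such a generator can be written; it is not the article’s own make_config.sh. It takes the base configuration, the key directory, the client name and the output directory as parameters, embeds ca.crt, CLIENT.crt, CLIENT.key and ta.key inline between the matching tags (the reason the ca, cert and key directives were commented out in base.conf), refuses to write anything if one of the inputs is missing, and creates the profile owner-readable only because it contains the client’s private key. It also adds key-direction 1 when base.conf does not already set it: an inline tls-auth block carries no direction argument, and a client profile without that directive will not complete the TLS handshake with a server using ta.key.

```shell
#!/bin/sh
# Added example, not the article's own make_config.sh: builds one self-contained
# .ovpn file from the client base config plus the CA certificate, the client's
# certificate and key and the tls-auth key, all embedded inline as the guide
# describes. Directory and file names are parameters; the key-file names follow
# the easy-rsa layout used above (ca.crt, ta.key, CLIENT.crt, CLIENT.key).

# inline_block TAG FILE: print FILE wrapped in <TAG> ... </TAG>.
inline_block() {
    printf '<%s>\n' "$1"
    cat "$2"
    printf '</%s>\n' "$1"
}

# make_ovpn BASE_CONF KEY_DIR CLIENT OUT_DIR
# Writes OUT_DIR/CLIENT.ovpn and prints its path. Returns 1 and writes nothing
# if any of the inputs is missing, so a half-built profile is never produced.
make_ovpn() {
    base=$1; keydir=$2; client=$3; outdir=$4
    for f in "$base" "$keydir/ca.crt" "$keydir/$client.crt" \
             "$keydir/$client.key" "$keydir/ta.key"; do
        [ -r "$f" ] || { echo "make_ovpn: cannot read $f" >&2; return 1; }
    done
    mkdir -p "$outdir" || return 1
    out="$outdir/$client.ovpn"
    # The profile embeds a private key, so create it owner-readable only.
    (
        umask 077
        {
            cat "$base"
            # keep the next line separate even if base.conf lacks a final newline
            if [ -n "$(tail -c 1 "$base")" ]; then echo; fi
            # an inline <tls-auth> block has no direction argument, so the client
            # needs key-direction 1; add it unless base.conf already sets it
            grep -Eq '^[[:space:]]*key-direction' "$base" || echo 'key-direction 1'
            inline_block ca       "$keydir/ca.crt"
            inline_block cert     "$keydir/$client.crt"
            inline_block key      "$keydir/$client.key"
            inline_block tls-auth "$keydir/ta.key"
        } > "$out"
    ) || return 1
    echo "$out"
}

# count_inline_sections FILE: how many of the four inline blocks FILE carries.
count_inline_sections() {
    grep -Ec '^<(ca|cert|key|tls-auth)>$' "$1"
}

# Usage: sh make_client_config.sh client1
if [ -n "${1:-}" ]; then
    make_ovpn ~/client-configs/base.conf ~/openvpn-ca/keys "$1" ~/client-configs/files
fi
```

Called with the directories from this guide it produces ~/client-configs/files/client1.ovpn, which is the single file you then copy to the client. The four-section count is a quick sanity check to run on any profile before transferring it: a file with fewer than four inline blocks is missing credentials and will fail to connect, and a profile that exists on disk while the script reported an unreadable input is a leftover from an earlier run, never a partial write.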

We need to transfer the client configuration file to the corresponding device, for example your local computer or a mobile device. The exact applications used for this transfer depend on your choice and on the device’s operating system, but you should use SFTP (SSH file transfer protocol) or SCP (secure copy) on the server. This transports your client’s VPN authentication files over an encrypted connection.

Here is an example SFTP command using our example client1.ovpn. This command can be executed from your local computer; it places the .ovpn file in your home directory: